Version in base suite: 1.26.3-4 Base version: gst-plugins-ugly1.0_1.26.3-4 Target version: gst-plugins-ugly1.0_1.26.3-4+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gst-plugins-ugly1.0/gst-plugins-ugly1.0_1.26.3-4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gst-plugins-ugly1.0/gst-plugins-ugly1.0_1.26.3-4+deb13u1.dsc changelog | 7 ++++++ patches/CVE-2026-2920.patch | 43 ++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-2922.patch | 45 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 + 4 files changed, 97 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmppo8sa6ws/gst-plugins-ugly1.0_1.26.3-4.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmppo8sa6ws/gst-plugins-ugly1.0_1.26.3-4+deb13u1.dsc: no acceptable signature found
diff -Nru gst-plugins-ugly1.0-1.26.3/debian/changelog gst-plugins-ugly1.0-1.26.3/debian/changelog
--- gst-plugins-ugly1.0-1.26.3/debian/changelog 2025-06-28 12:08:38.000000000 +0000
+++ gst-plugins-ugly1.0-1.26.3/debian/changelog 2026-03-29 21:48:47.000000000 +0000
@@ -1,3 +1,10 @@
+gst-plugins-ugly1.0 (1.26.3-4+deb13u1) trixie-security; urgency=medium
+
+ * CVE-2026-2920
+ * CVE-2026-2922
+
+ -- Moritz Mühlenhoff Sun, 29 Mar 2026 23:48:47 +0200
+
 gst-plugins-ugly1.0 (1.26.3-4) unstable; urgency=medium
 
 * Team upload
diff -Nru gst-plugins-ugly1.0-1.26.3/debian/patches/CVE-2026-2920.patch gst-plugins-ugly1.0-1.26.3/debian/patches/CVE-2026-2920.patch
--- gst-plugins-ugly1.0-1.26.3/debian/patches/CVE-2026-2920.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-ugly1.0-1.26.3/debian/patches/CVE-2026-2920.patch 2026-03-29 21:48:47.000000000 +0000
@@ -0,0 +1,43 @@
+From 3dc4244f030a0af077b9f87fd8ad50d4032428ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Wed, 11 Feb 2026 19:27:09 +0200
+Subject: [PATCH] asfdemux: Error out on files with more than 32 streams
+
+--- gst-plugins-ugly1.0-1.26.3.orig/gst/asfdemux/gstasfdemux.c
++++ gst-plugins-ugly1.0-1.26.3/gst/asfdemux/gstasfdemux.c
+@@ -2616,6 +2616,9 @@ gst_asf_demux_setup_pad (GstASFDemux * d
+ {
+ AsfStream *stream;
+
++ /* Checked in the callers */
++ g_assert (demux->num_streams < G_N_ELEMENTS (demux->stream));
++
+ gst_pad_use_fixed_caps (src_pad);
+ gst_pad_set_caps (src_pad, caps);
+
+@@ -3071,6 +3074,12 @@ gst_asf_demux_parse_stream_object (GstAS
+ case ASF_STREAM_AUDIO:{
+ asf_stream_audio audio_object;
+
++ if (demux->num_streams >= G_N_ELEMENTS (demux->stream)) {
++ GST_ELEMENT_ERROR (demux, STREAM, DEMUX, (NULL),
++ ("File has too many streams"));
++ return NULL;
++ }
++
+ if (!gst_asf_demux_get_stream_audio (&audio_object, &data, &size))
+ goto not_enough_data;
+
+@@ -3149,6 +3158,12 @@ gst_asf_demux_parse_stream_object (GstAS
+ asf_stream_video video_object;
+ guint16 vsize;
+
++ if (demux->num_streams >= G_N_ELEMENTS (demux->stream)) {
++ GST_ELEMENT_ERROR (demux, STREAM, DEMUX, (NULL),
++ ("File has too many streams"));
++ return NULL;
++ }
++
+ if (!gst_asf_demux_get_stream_video (&video_object, &data, &size))
+ goto not_enough_data;
+
diff -Nru gst-plugins-ugly1.0-1.26.3/debian/patches/CVE-2026-2922.patch gst-plugins-ugly1.0-1.26.3/debian/patches/CVE-2026-2922.patch
--- gst-plugins-ugly1.0-1.26.3/debian/patches/CVE-2026-2922.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-ugly1.0-1.26.3/debian/patches/CVE-2026-2922.patch 2026-03-29 21:48:47.000000000 +0000
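Review bot: The `g_assert` added at the top of gst_asf_demux_setup_pad is compiled out when G_DISABLE_ASSERT is defined and aborts the process otherwise, so the graceful `GST_ELEMENT_ERROR` / `return NULL` paths added in the ASF_STREAM_AUDIO and ASF_STREAM_VIDEO cases are the only protection for the `demux->stream` array; any other route into setup_pad that this hunk does not show would turn an over-long stream list into an abort instead of a stream error. The comment should make that contract explicit, e.g. `/* Checked in the callers: every caller must bound num_streams against G_N_ELEMENTS (demux->stream) first, since g_assert() is a no-op with G_DISABLE_ASSERT */`. Both gst_asf_demux_setup_pad and gst_asf_demux_parse_stream_object continue outside the hunk, so whether further callers or stream types reach setup_pad cannot be confirmed from here.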
@@ -0,0 +1,45 @@
+From 4ce6a65ea4440afab9a1b35334c6d100de5cf0a3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Wed, 11 Feb 2026 19:58:31 +0200
+Subject: [PATCH] rmdemux: Check if new video fragment overflows the fragment
+ storage before storing it
+
+From 2d0c93dbc2307a1a1d0e067e725ba6a457729bb7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Wed, 11 Feb 2026 20:00:04 +0200
+Subject: [PATCH] rmdemux: Avoid integer overflow when checking if enough data
+ is available for video fragment
+
+--- gst-plugins-ugly1.0-1.26.3.orig/gst/realmedia/rmdemux.c
++++ gst-plugins-ugly1.0-1.26.3/gst/realmedia/rmdemux.c
+@@ -2348,7 +2348,8 @@ gst_rmdemux_parse_video_packet (GstRMDem
+ }
+ GST_DEBUG_OBJECT (rmdemux, "fragment size %d", fragment_size);
+
+- if (map.size < (data - map.data) + fragment_size)
++ if (fragment_size > map.size
++ || (data - map.data) > map.size - fragment_size)
+ goto not_enough_data;
+
+ /* get the fragment */
+@@ -2369,15 +2370,17 @@ gst_rmdemux_parse_video_packet (GstRMDem
+ stream->frag_length = fragment_size;
+ }
+
++ if (stream->frag_count >= MAX_FRAGS) {
++ gst_buffer_unref (fragment);
++ goto too_many_fragments;
++ }
++
+ /* put fragment in adapter */
+ gst_adapter_push (stream->adapter, fragment);
+ stream->frag_offset[stream->frag_count] = stream->frag_current;
+ stream->frag_current += fragment_size;
+ stream->frag_count++;
+
+- if (stream->frag_count > MAX_FRAGS)
+- goto too_many_fragments;
+-
+ GST_DEBUG_OBJECT (rmdemux, "stored fragment in adapter %d/%d",
+ stream->frag_current, stream->frag_length);
+
diff -Nru gst-plugins-ugly1.0-1.26.3/debian/patches/series gst-plugins-ugly1.0-1.26.3/debian/patches/series
--- gst-plugins-ugly1.0-1.26.3/debian/patches/series 2025-06-28 12:08:38.000000000 +0000
+++ gst-plugins-ugly1.0-1.26.3/debian/patches/series 2026-03-29 21:48:47.000000000 +0000
@@ -0,0 +1,2 @@
+CVE-2026-2920.patch
+CVE-2026-2922.patch
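Review bot: The new `stream->frag_count >= MAX_FRAGS` check in gst_rmdemux_parse_video_packet runs before the `frag_offset[stream->frag_count]` store, which closes the off-by-one left by the old post-store `> MAX_FRAGS` test, but what the `too_many_fragments` label does is outside the hunk; unless it flushes `stream->adapter` and resets `frag_count`/`frag_current`, every later packet for that stream would hit the same branch, so that reset is worth confirming against the label. The reworked bounds test `fragment_size > map.size || (data - map.data) > map.size - fragment_size` is only overflow-free if `data` already points inside the mapped buffer, which is established earlier in the function and not visible here; a one-line comment such as `/* data lies within map.data, so the subtraction cannot underflow */` would pin that precondition where the check is read. As a point of packaging style, the file concatenates two upstream commits under a single `---` separator, so the second commit's `Subject:` ends up in the body of the first; two DEP-3 patch files, or one merged header, would keep the provenance readable.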